Friday, June 21, 2013

Python - Basic VirusTotal Uploader

Just my little quick note about submitting a malware sample to VirusTotal.com. Be reminded that this Python code does not handle errors properly; it is just for quick reference.

import sys
import postfile  # multipart helper (postfile.py) from the VirusTotal API docs, kept beside this script

def main(argv):
    # expect exactly one argument: the path of the sample to upload
    if len(argv) != 1:
        sys.exit("usage: vt_upload.py <sample>")
    host = "www.virustotal.com"
    mfile = argv[0]
    selector = "https://www.virustotal.com/vtapi/v2/file/scan"
    fields = [("apikey", "YOUR PUBLIC API KEY")]
    with open(mfile, "rb") as fh:  # close the handle once the bytes are read
        file_to_send = fh.read()
    files = [("file", mfile, file_to_send)]
    json = postfile.post_multipart(host, selector, fields, files)
    print(json)  # raw JSON reply from the API

if __name__ == "__main__":
    main(sys.argv[1:])

You can replace 'YOUR PUBLIC API KEY' with your own key, which you can get at VirusTotal.com.
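A standard-library-only variant of the same upload, added here as an example and not part of the original post: it builds the multipart/form-data body itself instead of depending on postfile.py, reads the API key from an environment variable (VT_API_KEY is an assumed name) rather than embedding it in the source, and records the sample's SHA-256 before anything leaves the machine.

```python
import hashlib
import os
import sys
import urllib.request

VT_SCAN_URL = "https://www.virustotal.com/vtapi/v2/file/scan"
BOUNDARY = "----vt-uploader-7a1f"  # constructed; any string absent from the payload works

def encode_multipart(fields, files, boundary=BOUNDARY):
    """fields: [(name, value)], files: [(name, filename, raw_bytes)].
    Returns (Content-Type header value, body bytes) in multipart/form-data layout."""
    b = boundary.encode()
    parts = []
    for name, value in fields:
        parts += [b"--" + b,
                  b'Content-Disposition: form-data; name="%s"' % name.encode(),
                  b"", str(value).encode()]
    for name, filename, data in files:
        parts += [b"--" + b,
                  b'Content-Disposition: form-data; name="%s"; filename="%s"'
                  % (name.encode(), filename.encode()),
                  b"Content-Type: application/octet-stream",
                  b"", data]
    parts += [b"--" + b + b"--", b""]  # closing boundary plus final CRLF
    return "multipart/form-data; boundary=" + boundary, b"\r\n".join(parts)

def build_scan_request(path, apikey, data=None):
    """Prepare the v2 file/scan POST without sending it; `data` lets a caller pass the bytes directly."""
    if data is None:
        with open(path, "rb") as fh:
            data = fh.read()
    sha256 = hashlib.sha256(data).hexdigest()  # note what was shared, for the case file
    content_type, body = encode_multipart([("apikey", apikey)],
                                          [("file", os.path.basename(path), data)])
    req = urllib.request.Request(VT_SCAN_URL, data=body, method="POST")
    req.add_header("Content-Type", content_type)  # urllib adds Content-Length itself
    return req, sha256

def main(argv):
    if len(argv) != 1:
        sys.exit("usage: vt_upload.py <sample>")
    apikey = os.environ.get("VT_API_KEY")  # assumed variable name; keeps the key out of the script
    if not apikey:
        sys.exit("set VT_API_KEY first")
    req, sha256 = build_scan_request(argv[0], apikey)
    print("sha256:", sha256)
    with urllib.request.urlopen(req, timeout=60) as resp:
        print(resp.read().decode())  # raw JSON reply from the API

if __name__ == "__main__":
    main(sys.argv[1:])
```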

~ alternat0r

Monday, February 18, 2013

'Business Flash Player' appears to be a Facebook spammer


Just received this wild Facebook post that suddenly tagged me for an unknown reason. It looks like a community page that has received 87 million user 'Likes'. That's something fishy to me.


This looks suspicious to me because the provided URL is unreadable to me. Obviously it is in Unicode characters or an IDN. It's Armenian (ask Google Translate or Wikipedia).

Well, let's check out what's so special about this FB post. Once you click on that weird URL you will be redirected to fastotolike.com. The website looks like some kind of 'auto-like' or clickjacking script.


If you click anywhere on the page you will be prompted with another strange popup (I'm using Google Chrome for this test). The popup message prompts you to install some kind of plug-in or extension for Chrome. Multiple popups open, 8 times according to its JavaScript. See image below:


Looking at the source code you will find Turkish text, hoping that the user will click the 'Add' button.


It looks like the app is available on the Google Web Store, disguised as 'Business Flash Player !'. With no description and no screenshot, it definitely looks fishy. See image below:




If you try to install it you will see the extension appear in the Chrome Extensions list.


Let's take a look at the installed extension's source code. There are two links, one of which will redirect to a malicious website. See image below:


The redirect URL goes to http://fastotolike.com/yeni.php, which somehow reveals its source code as one long commented-out line. So, for this test I just uncommented the JS code and beautified it.



This script looks responsible for posting spam to the victim's Facebook wall. The post appears to be submitted along with a picture of a random girl dancing on YouTube.